Computer Malware Attack

Computer code on a screen with a skull representing a computer virus / malware attack. (Getty images)

WASHINGTON — The Biden administration wants to rebalance the responsibility of defending cybersecurity to the “most capable and best positioned actors” in the US and set mandatory critical infrastructure cybersecurity requirements, according to the new National Cybersecurity Strategy.

The 35-page strategy, released today, calls for securing the US’s digital future and making the digital ecosystem defensible and resilient against foreign adversaries like China and Russia

“The president’s strategy fundamentally reimagines America’s cyber social contract,” Kemba Walden, acting National Cyber Director, told reporters on Wednesday ahead of the strategy’s release. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it. Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards.

“We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all,” she continued. “This isn’t just unfair, it’s ineffective. The biggest, most capable and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”

The strategy doesn’t go into detail about how specifically the administration will try to shift that “burden,” but it says that protecting data and assuring critical systems are reliable needs to be the responsibility of the owners of those systems and the technology providers that make those systems. Read as is, that would seem to shift responsibility of, say, a local school system’s IT network from school administrators and towards the larger company who provides the capabilities.

“Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem,” according to the strategy.

“We will use Federal purchasing power and grant-making to incentivize security,” according to the strategy. “And we will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur.”

Foreign Threats

The strategy specifically calls out China as being the “broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.” It also calls out Russia for using its cyber capabilities to “destabilize its neighbors and interfere in the domestic politics of democracies around the world” and notes that Iran and North Korea are quickly catching up.

Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said that the strategy comes at a pivotal time where over the last year cyber threats have evolved, whether its ransomware attacks executed by Russia or Iranian intelligence services attacking Albania’s government networks. 

“Here at home, we’re no stranger to these sorts of threats, which is important, because the Biden administration’s fundamental commitment is that Americans must be able to have confidence that they can rely on critical services – hospitals, gas pipelines, air water services – even if they are being targeted by our adversaries,” Neuberger said. 

The strategy is built on five core pillars: defending critical infrastructure by expanding minimum cybersecurity requirements for critical sectors; disrupting and dismantling threat actors; placing more responsibility on those who are best positioned to reduce risk in the digital ecosystem and shifting the consequences away from the most vulnerable; investing in a resilient future; and forging international partnerships. 

Work under the critical infrastructure pillar is already underway, Neuberger said, and the strategy codifies the first two years of the administration’s work on putting in place minimum cybersecurity requirements for pipelines and railways.

She added that the administration is expected to announce additional sectors in the future and recognizes that it needs to move from just a public-private partnership information sharing approach to implementing minimum mandates. 

“Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” she said. “As I said, we’ve made major progress in executing this as a core Biden administration commitment in the first two years, and we’ll continue to carry it forward with the executive branch authorities we have in place and working with Congress to develop those limited additional authorities we may still need.”

Setting targeted requirements for critical infrastructure is a “big shift” compared to previous cyber strategies from the White House, a senior administration official said on background.

“That’s a major departure from the past,” the official said. “The other shift is to look at how we think about liability for software manufacturers, something that has not been in previous strategies. And I think the other thing I would note is the major shift…on how we’re really bringing all instruments of national power against cybercrime in the form of ransomware. And so, the strategy is meant to pull together all of these threads and then provide us a direction forward.”

Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology, told Breaking Defense that as part of implementing the critical infrastructure requirements, there will likely need to be “some level of legislative work to get some authorities in place for some of these agencies that are just a little bit needing of tweaks.”

Hayden, who previously worked for the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security, added that while the US will still be “very surgical” in using cyber offensive tools against an attacker, it’s going to be used in a way that hasn’t been publicly leveraged in the past. 

The White House is expected to release a “public snapshot” of the cyber strategy’s implementation plan within the “coming months,” an official said.